Encrypt session ID

SiteAssist · November 22, 2023, 10:42am

Hi,

We would like to implement a bearer authentification mechanism between prodigy and our backend.

Question 1: Can prodigy make a request to an API based on a session id?

We would like to implement a secret key between the two and pass an encrypted session param.

For example the raw session param could be:

{
  userId: 1234,
  organisations: [1,2,3],
  projects: [1,2,3,4,5]
}

Becoming ASDL;FJO;IAWE932523NDLKF;AJ;DFIOS once encrypted by our backend.

The encryption would be injected as a session id in prodigy url https://prodigy.prod.com/?session=ASDL;FJO;IAWE932523NDLKF;AJ;DFIOS

Prodigy can then decrypt it and get session context for the task router.

This will allow us to make the prodigy url public.

Question 2: Would that be possible?

ryanwesslen · November 22, 2023, 7:19pm

hi @SiteAssist,

Prodigy does not have built-in functionality to make requests to an API based on a session ID. However, you can implement this functionality in your backend and use Prodigy's custom recipe to try it.

You can create a custom recipe in Prodigy that sends the session ID as a parameter in the request to your backend API. You can try get_session_name to get the session ID.

Yes, that seems possible. However, there may be tradeoffs or other alternatives.

One downside I see of this is you can't provide your session names in advance using PRODIGY_ALLOWED_SESSIONS. Without it, Prodigy will only become aware of a user session when it starts annotating which can lead to uneven task distribution. This effect is explained in the docs section on session creation below.

One point that's worth noting is we're working on a plugin for Single-Sign-On following the OpenID Connect Authorization Code Flow standard. This will support any OIDC identity provider (e.g. Auth0, Microsoft Entra (formerly Active Directory). I don't have an exact date on when we'll release this but we've been testing. Also, this will likely only be provided as an add-in for company licenses, not personal licenses.

After the holidays (we have a few teammates out this week), I can ask a few teammates on their thoughts.

Topic		Replies	Views
SSO and Dynamic stream issues	2	24	July 22, 2024
Session id and authorised characters in url usage , database , solved	2	704	September 5, 2021
Set session from an http header enhancement , usage , solved , streams	3	748	April 4, 2020
Securing Backend API Call usage , solved , server	4	845	January 20, 2022
Get session using validate_answer?	3	359	July 22, 2022

Encrypt session ID

Related Topics